diff --git a/roles/common/tasks/backup.yml b/roles/common/tasks/backup.yml index 608c6fd..09e326b 100644 --- a/roles/common/tasks/backup.yml +++ b/roles/common/tasks/backup.yml @@ -4,8 +4,8 @@ # -> via autofs + sshfs (permet de libérer la connexion en dehors de la phase de backups) # 2. Chiffrement avec clé symétrique. La clé n'est connue que par l'host # -> Stocker la clé dans un lieu sûr -# 2. D'autres machines se connectent pour récupérer les backups (rsync): -# 1. En sftp chrooté via l'user "backup-sync" +# 2. D'autres machines se connectent pour récupérer les backups: +# 1. Seul rsync est autorisé (rrsync), pour l'user "backup-sync", et "chrooté" sur le point de montage de la storage box # 2. Donner accès SSH pour ces machines à l'user "backup-sync" # Note: L'user "backup" est déjà utilisé par Ubuntu, donc ne pas l'utiliser pour éviter des conflits (mauvais home, etc.) @@ -24,6 +24,26 @@ mode: "755" when: not storage_box_enabled +- name: Install rsync package + apt: + name: rsync + state: present + +- name: Check location of rrsync script + stat: + path: /usr/share/doc/rsync/scripts/rrsync + register: _rrsync + +- name: Copy rrsync script + file: + src: /usr/share/doc/rsync/scripts/rrsync + dest: /usr/local/bin/rrsync + state: link + owner: root + group: root + mode: "755" + when: _rrsync.stat.isreg | default(false) + - name: Include Storage Box backup tasks import_tasks: backup_storage_box.yml when: storage_box_enabled diff --git a/roles/common/tasks/nginx.yml b/roles/common/tasks/nginx.yml index ab445a4..eba8aad 100644 --- a/roles/common/tasks/nginx.yml +++ b/roles/common/tasks/nginx.yml @@ -37,6 +37,7 @@ group: www-data async: 3600 poll: 0 + changed_when: no register: nginx_dh - name: Use snakoil cert key as Nginx's default private key diff --git a/roles/common/tasks/repos.yml b/roles/common/tasks/repos.yml index d9f987f..914397a 100644 --- a/roles/common/tasks/repos.yml +++ b/roles/common/tasks/repos.yml 
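Review bot: The task named "Copy rrsync script" in the second backup.yml hunk does not copy: `state: link` points /usr/local/bin/rrsync into /usr/share/doc/rsync/scripts, a dpkg-managed documentation path, so an rsync package upgrade that moves, gzips or drops that file leaves a dangling link and every backup-sync login (whose sshd ForceCommand is rrsync) starts failing; with the file module's default `follow`, the `mode: "755"` is also most likely applied to the package-owned target rather than to the link itself (verify on the target release). The `when: _rrsync.stat.isreg | default(false)` guard makes the failure silent: if the script is absent (newer rsync packages reportedly ship it as /usr/bin/rrsync instead) the task is skipped and nothing reports that the ForceCommand now references a missing binary. Since rrsync is the only thing standing between the pull hosts and the rest of the filesystem now that the chroot is gone, I would copy the script with `remote_src: true` into /usr/local/bin and fail the play loudly when it cannot be found.
```yaml
- name: Check location of rrsync script
  stat:
    path: /usr/share/doc/rsync/scripts/rrsync
  register: _rrsync

# Fail loudly: the sshd ForceCommand for backup-sync depends on /usr/local/bin/rrsync.
- name: Ensure the rrsync helper shipped with rsync was found
  assert:
    that: _rrsync.stat.isreg | default(false)
    fail_msg: "rrsync not found at /usr/share/doc/rsync/scripts/rrsync; backup-sync logins would fail"

# Copy instead of symlinking: the source is a package-managed doc file that an
# rsync upgrade may replace or move, which would silently dangle a symlink.
- name: Install rrsync as a local executable
  copy:
    src: /usr/share/doc/rsync/scripts/rrsync
    dest: /usr/local/bin/rrsync
    remote_src: true
    owner: root
    group: root
    mode: "755"
```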
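Review bot: In the nginx.yml hunk, `changed_when: no` uses a YAML 1.1 truthy spelling; Ansible and yamllint (`truthy` rule) expect the canonical form, so write `changed_when: false`. Also note that with `poll: 0` this task only launches the job, so a later `async_status` on `nginx_dh` (not visible in this hunk) is where a failed DH-parameter generation would have to be surfaced — the `changed_when` here does not hide that, but confirm it exists.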
@@ -9,4 +9,12 @@ - name: Install unattended-upgrades for automatic upgrades apt: name: unattended-upgrades - state: present \ No newline at end of file + state: present + +- name: Install common packages + apt: + name: "{{ package }}" + state: present + loop: "{{ common_packages }}" + loop_control: + loop_var: package \ No newline at end of file diff --git a/roles/common/templates/openssh/sshd_config.j2 b/roles/common/templates/openssh/sshd_config.j2 index 7b00c99..6bfbf96 100644 --- a/roles/common/templates/openssh/sshd_config.j2 +++ b/roles/common/templates/openssh/sshd_config.j2 @@ -16,8 +16,7 @@ AcceptEnv LANG LC_* Subsystem sftp internal-sftp -Match Group {{ backup_owner }} +Match Group {{ backup_group }} X11Forwarding no AllowTcpForwarding no - ChrootDirectory {{ backup_chroot_dir }} - ForceCommand internal-sftp + ForceCommand rrsync {{ backup_chroot_dir | quote }} \ No newline at end of file diff --git a/roles/common/vars/main.yml b/roles/common/vars/main.yml index a3ce5b1..9a554a6 100644 --- a/roles/common/vars/main.yml +++ b/roles/common/vars/main.yml @@ -1,3 +1,7 @@ +common_packages: + - vim + - ncdu + - htop ssh_config_dir: "{{ ansible_env.HOME }}/.ssh" storage_box_prefix: storage-box storage_box_packages:
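Review bot: In the repos.yml hunk, looping `apt` over `common_packages` runs one apt transaction per package; `apt` accepts a list directly, so the idiomatic and faster form is `name: "{{ common_packages }}"` with the `loop`, `loop_control` and `loop_var` keys removed (Ansible also warns about squashing loops over package modules). Behaviour is otherwise the same: all packages end up `present`.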
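Review bot: In the sshd_config.j2 hunk, the new `ForceCommand rrsync {{ backup_chroot_dir | quote }}` grants the backup-sync group read *and write* access to the backup directory, while the header comment in backup.yml describes these hosts as only retrieving ("récupérer") backups; a compromised pull host could therefore overwrite or delete the backups it is meant to protect. Use the read-only mode, `ForceCommand rrsync -ro {{ backup_chroot_dir | quote }}`, and since a forced command needs neither a TTY nor an agent, add `PermitTTY no` and `AllowAgentForwarding no` to the Match block alongside the existing `X11Forwarding no` / `AllowTcpForwarding no`. With `ChrootDirectory` removed, rrsync's option filtering is now the only filesystem boundary for this group, so the rrsync copy must be kept current with the rsync package. The block now matches `{{ backup_group }}` instead of `backup_owner`; the vars hunk below does not show that variable being defined, so make sure it is set somewhere or sshd will fail to load the template.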
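Review bot: In the vars/main.yml hunk, `common_packages` is added to the role's `vars/` file, which has higher precedence than inventory, group and most play variables, so no host can trim or extend the list without editing the role. A tunable list like this belongs in `defaults/main.yml`; the three entries (`vim`, `ncdu`, `htop`) would be unchanged, only the file differs.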